From: Roberto Sassu <roberto.sassu@huawei.com>
To: <linux-integrity@vger.kernel.org>
Cc: <linux-security-module@vger.kernel.org>,
<linux-fsdevel@vger.kernel.org>, <linux-doc@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <silviu.vlasceanu@huawei.com>,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH v2 09/15] ima: introduce securityfs interfaces for digest lists
Date: Tue, 7 Nov 2017 11:37:04 +0100 [thread overview]
Message-ID: <20171107103710.10883-10-roberto.sassu@huawei.com> (raw)
In-Reply-To: <20171107103710.10883-1-roberto.sassu@huawei.com>
This patch introduces the file 'digest_lists' in the securityfs filesystem,
to load digest lists metadata. IMA will parse the metadata and load the
digest lists from the path provided.
It also introduces 'digests_count', to show the number of digests stored in
the ima_digests_htable hash table.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Changelog
v1:
- Deny upload of digest lists if no policy is loaded
---
security/integrity/ima/ima_fs.c | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 4158ced5d3c9..1ed717d94487 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -34,11 +34,15 @@ static struct dentry *ascii_runtime_measurements;
static struct dentry *runtime_measurements_count;
static struct dentry *violations;
static struct dentry *ima_policy;
+static struct dentry *digest_lists;
+static struct dentry *digests_count;
static enum kernel_read_file_id ima_get_file_id(struct dentry *dentry)
{
if (dentry == ima_policy)
return READING_POLICY;
+ else if (dentry == digest_lists)
+ return READING_DIGEST_LIST_METADATA;
return READING_UNKNOWN;
}
@@ -66,6 +70,8 @@ static ssize_t ima_show_htable_value(struct file *filp, char __user *buf,
val = &ima_htable.violations;
else if (filp->f_path.dentry == runtime_measurements_count)
val = &ima_htable.len;
+ else if (filp->f_path.dentry == digests_count)
+ val = &ima_digests_htable.len;
len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
@@ -301,6 +307,9 @@ static ssize_t ima_read_file(char *path, enum kernel_read_file_id file_id)
pr_debug("rule: %s\n", p);
rc = ima_parse_add_rule(p);
+ } else if (file_id == READING_DIGEST_LIST_METADATA) {
+ rc = ima_parse_digest_list_metadata(size, datap);
+ datap += rc;
}
if (rc < 0)
break;
@@ -401,7 +410,8 @@ static int ima_open_data_upload(struct inode *inode, struct file *filp)
read_allowed = true;
seq_ops = &ima_policy_seqops;
#endif
- }
+ } else if (file_id == READING_DIGEST_LIST_METADATA && !ima_policy_flag)
+ return -EACCES;
if (!(filp->f_flags & O_WRONLY)) {
if (!read_allowed)
@@ -510,8 +520,22 @@ int __init ima_fs_init(void)
if (IS_ERR(ima_policy))
goto out;
+#ifdef CONFIG_IMA_DIGEST_LIST
+ digest_lists = securityfs_create_file("digest_lists", S_IWUSR, ima_dir,
+ NULL, &ima_data_upload_ops);
+ if (IS_ERR(digest_lists))
+ goto out;
+
+ digests_count = securityfs_create_file("digests_count",
+ S_IRUSR | S_IRGRP, ima_dir,
+ NULL, &ima_htable_value_ops);
+ if (IS_ERR(digests_count))
+ goto out;
+#endif
return 0;
out:
+ securityfs_remove(digests_count);
+ securityfs_remove(digest_lists);
securityfs_remove(violations);
securityfs_remove(runtime_measurements_count);
securityfs_remove(ascii_runtime_measurements);
--
2.11.0
next prev parent reply other threads:[~2017-11-07 10:43 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-07 10:36 [PATCH v2 00/15] ima: digest list feature Roberto Sassu
2017-11-07 10:36 ` [PATCH v2 01/15] ima: generalize ima_read_policy() Roberto Sassu
2017-11-07 10:36 ` [PATCH v2 02/15] ima: generalize ima_write_policy() Roberto Sassu
2017-11-07 10:36 ` [PATCH v2 03/15] ima: generalize policy file operations Roberto Sassu
2017-11-07 10:36 ` [PATCH v2 04/15] ima: use ima_show_htable_value to show hash table data Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 05/15] ima: add functions to manage digest lists Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 06/15] ima: add parser of digest lists metadata Roberto Sassu
2017-11-18 4:20 ` Serge E. Hallyn
2017-11-18 23:23 ` Mimi Zohar
2017-11-20 9:40 ` Roberto Sassu
2017-11-20 13:53 ` Mimi Zohar
2017-11-20 16:52 ` Serge E. Hallyn
2017-11-07 10:37 ` [PATCH v2 07/15] ima: add parser of compact digest list Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 08/15] ima: add parser of RPM package headers Roberto Sassu
2017-11-07 10:37 ` Roberto Sassu [this message]
2017-11-07 10:37 ` [PATCH v2 10/15] ima: disable digest lookup if digest lists are not checked Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 11/15] ima: add policy action digest_list Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 12/15] ima: do not update security.ima if appraisal status is not INTEGRITY_PASS Roberto Sassu
2017-11-18 4:25 ` Serge E. Hallyn
2017-11-07 10:37 ` [PATCH v2 13/15] evm: add kernel command line option to select protected xattrs Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 14/15] ima: add support for appraisal with digest lists Roberto Sassu
2017-11-07 10:37 ` [PATCH v2 15/15] ima: add Documentation/security/IMA-digest-lists.txt Roberto Sassu
2017-11-07 13:37 ` [PATCH v2 00/15] ima: digest list feature Mimi Zohar
2017-11-07 16:45 ` Roberto Sassu
2017-11-17 1:08 ` Kees Cook
2017-11-17 8:55 ` Roberto Sassu
2017-11-17 12:21 ` Mimi Zohar
2017-11-07 14:49 ` Matthew Garrett
2017-11-07 17:53 ` Roberto Sassu
2017-11-07 18:06 ` Matthew Garrett
2017-11-08 12:00 ` Roberto Sassu
2017-11-08 15:48 ` Matthew Garrett
2017-11-09 9:51 ` Roberto Sassu
2017-11-09 14:47 ` Matthew Garrett
2017-11-09 16:13 ` Roberto Sassu
2017-11-09 16:46 ` Matthew Garrett
2017-11-09 17:23 ` Roberto Sassu
2017-11-09 16:17 ` Mimi Zohar
2017-11-07 18:03 ` Safford, David (GE Global Research, US)
2017-11-08 10:16 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171107103710.10883-10-roberto.sassu@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=silviu.vlasceanu@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).